Help with GL-AR750S-Ext firewall, please

I have the following setup for someone.

ISP WAN (203.27.y.z)
Main router (203.27.y.z) - Under building/estate control, appears to pass thru WAN IP
  - client (192.168.x.x) or (172.x.x.x - I need to check) 
  - client (192.168.x.x) or (172.x.x.x)
  - etc etc
  - AR750S router (203.27.y.z) - Under my control, has picked up the WAN IP
    - client (192.168.8.x) - Currently - this range can be changed to anything
    - client (192.168.8.x)
    - client (192.168.8.x)

The AR750S provides DNS, (NextDNS), for the clients it handles, (192.168.8.x), but unfortunately it’s also handling incoming DNS requests from the rest of the clients behind the Main router.

So basically I want to pick a DHCP assignment range outside the Main router and then I want to block any incoming requests from Class A, B, C private addresses that are outside my chosen range for the clients behind the AR750S router.

Can someone tell/show me what rules I need to implement in the Luci interface to implement the above, (currently they’re the default for f/w 3.203)?

I have another AR750S (f/w 3.211) I can experiment with.

Thanks

If I understand correctly from your diagram, the GL-AR750S WAN is connected to a Main router LAN and, hence, it should have a 192.168.x.x IP address, like the other clients also connected to the Main router LAN. There should only be 203.27.y.z public IP addresses when connected to the ISP WAN.

Check that both the Ethernet cable from the GL-AR750S WAN port and the Ethernet cables from the other clients are all plugged directly into the Main router.

If you are using wifi connectivity, then check that the GL-AR750S WWAN and the other clients WLAN are all connected to the Main router SSID.

For testing, it would be good to define different subnets (e.g., 192.168.y.x for GL-AR750S and 192.168.x.x for other clients), in order to confirm which is connected to which.

Thanks for the reply.

I have no access to the Main router or any of its clients, (hence the ‘Under building/estate control’), the only things I can change are those that I control, the AR750S and any of its clients.

I’ll need to visit the site, I guess, to try things. I was hoping there would be a way via the LuCI firewall to block incoming traffic from, for example, any Class A, B, C private IP that doesn’t match the DHCP range for the clients behind the AR750S.

eg. AR750S DHCP assigns 10.200.200.x, the firewall blocks any DNS queries from any Private IP that isn’t 10.200.200.x

My suspicion is that the cables are not connected properly:

  1. GL-AR750S WAN port has IP address 203.27.y.z may be because it is connected to the ISP WAN, not the Main router.

  2. Other clients getting DNS from GL-AR750S may be that one of its LAN ports is connected to the Main router, so the other clients may be getting their IP and DNS from your router and going through your router to the Internet through the ISP WAN, instead of the Main router.

That would explain the behaviour you described and I cannot think of another explanation. If so, then there is no way for the firewall and LuCI on the GL-AR750S to resolve it.

The ports are connected correctly, the misunderstanding comes from Goodcloud reporting the WAN IP for the AR750S instead of the LAN IP it’s been assigned, (which the GL.iNet app does show).

The IP on its WAN interface is 10.0.3.160 with a gateway of 10.0.0.1.

So the question is still how do I block incoming Class A, B, C private IPs on the WAN interface, dest port 53?

I am scratching my head on this and there may be something missing:

Your GL-AR750S WAN interface is connected to the Main router and gets IP 10.0.3.160 from the Main router’s DHCP.

From your diagram, the other clients are also connected to the Main router, so they should also get IPs 10.0.3.x from the Main router’s DHCP, not 192.168.x.x or 172.x.x.x.

Leaving aside this IP issue, the firewall on your GL-AR750S by default blocks traffic from the WAN from the other clients, as long as the device has been set up in Router network mode (MORE SETTINGS → Network mode).

When the GL-AR750S is in Router network mode, the firewall by default blocks all DNS traffic on Port 53 from the WAN, unless you have opened up the firewall or added port forwarding.

The other clients should have public DNS IPs assigned from the Main router’s DHCP (e.g., Google 8.8.8.8, OpenDNS 208.67.222.222, Cloudflare 1.1.1.1), not your router’s private IP 10.0.3.160, and they should not even be trying to contact your device.

Like I pointed out, I need to check what DHCP range(s) the Main router assigns, which I can only do on-site by an IP scan. Unfortunately the AR750S is remote, (a 50km drive), and I’ve got no way to access its interface remotely through the Main router because I can’t set up any port forwarding.

The AR750S is in Routing mode, it’s never been set to anything else.

As for DNS requests, something is causing them and the only clients connected to the AR750S are two computers via ethernet (that are turned off most of the time) and an Android TV device in standby most of the time via WiFi.

Not talking about a small number of requests either, ~880k/day to Google services, (fcm and connectivitycheck), which indicates a number of Android phones are able to access the DNS.
Currently something like 18M requests within the last 30 days so far; by comparison, two Android phones and two Android tablets on my router have made ~12k within the last 30 days.

I’ve since found I can block all incoming LAN IPs, (except 10.0.0.1), on the WAN interface by going through the LuCI firewall so next time I’m on-site I’m going to reset the AR750S to defaults and just add the DNS settings (NextDNS) and the firewall rules.
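The traffic rules the last two posts are talking about, written out as a uci batch instead of LuCI clicks, as an added example that is not from any poster in this thread. It rejects tcp/udp port 53 arriving on the router's `wan` zone from each of the three RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). No exception for the AR750S's own DHCP range is needed, whatever range is chosen: clients behind the AR750S reach dnsmasq through the `lan` zone, and a rule with `src='wan'` never sees them. The optional first argument (the 10.0.0.1 gateway in the thread) is a hypothetical allow-list entry emitted as an ACCEPT rule ahead of the rejects; firewall3 evaluates traffic rules top to bottom with first match winning, so ordering is what makes that exception work. The zone name `wan` and the rule names are assumptions (OpenWrt defaults); only uci batch syntax is used.

```shell
#!/bin/sh
# Added example, not code from the thread or from GL.iNet.
# Prints a uci batch that rejects DNS (tcp/udp 53) arriving on the
# router's WAN zone from any RFC1918 source.  Apply on the router with:
#   sh dns_block.sh [gateway] | uci batch && uci commit firewall && /etc/init.d/firewall restart
# Hypothetical optional argument: a host (e.g. 10.0.0.1) to keep allowed.

# Print one firewall traffic rule.  No 'dest' option is set, so the rule
# applies to traffic addressed to the router itself (the zone's input chain).
#   $1 = rule name   $2 = source host or CIDR   $3 = ACCEPT or REJECT
emit_rule() {
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='$1'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].src_ip='$2'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='53'
set firewall.@rule[-1].target='$3'
EOF
}

# Print the complete batch.  $1 (optional) = host to ACCEPT before the
# reject rules.  firewall3 evaluates traffic rules in file order with first
# match winning, so the ACCEPT must be emitted first to take effect.
dns_block_batch() {
    gw="${1:-}"
    if [ -n "$gw" ]; then
        emit_rule "Allow-DNS-from-gateway" "$gw" "ACCEPT"
    fi
    emit_rule "Reject-DNS-from-10-8"       "10.0.0.0/8"     "REJECT"
    emit_rule "Reject-DNS-from-172-16-12"  "172.16.0.0/12"  "REJECT"
    emit_rule "Reject-DNS-from-192-168-16" "192.168.0.0/16" "REJECT"
}

dns_block_batch "$@"
```

Two checks before relying on this: the default OpenWrt `wan` zone already has `input` set to REJECT, so if queries from 10.0.3.x are actually being answered something has opened port 53 on the WAN side; `uci show firewall` on the router lists every zone and traffic rule, and `iptables -nvL zone_wan_input` shows packet counters per rule so you can see which one is matching. With ~880k queries a day, REJECT answers every query with an ICMP port-unreachable; changing `target='REJECT'` to `target='DROP'` makes the router silent at the cost of slower timeouts for the (unwanted) clients.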